Bug 2013838
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Different file permission for secrets/user-serving-cert-000/tls.crt and secrets/user-serving-cert-000/tls.key | | |
| Product | OpenShift Container Platform | Reporter | OpenShift BugZilla Robot <openshift-bugzilla-robot> |
| Component | kube-apiserver | Assignee | Emily Moss <emoss> |
| Status | CLOSED NOTABUG | QA Contact | Rahul Gangwar <rgangwar> |
| Severity | high | Docs Contact | |
| Priority | medium | | |
| Version | 4.7 | CC | aos-bugs, emoss, kvatteka, mfojtik, mirollin, mrobson, pawankum, rgangwar, simore, sttts, surbania, suyama, wking, xxia |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | 4.9.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2022-04-27 19:01:35 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1977730, 2026089 | | |
| Bug Blocks | | | |
Comment 2
Xingxing Xia
2021-10-15 03:33:09 UTC
Verified in 4.9.0: Creating a custom apiserver cert (the openssl commands below refer to https://github.com/giantswarm/grumpy/blob/instance_migration/gen_certs.sh):

```shell
# CREATE THE PRIVATE KEY FOR OUR CUSTOM CA
openssl genrsa -out certs/ca.key 2048

# GENERATE A CA CERT WITH THE PRIVATE KEY
openssl req -new -x509 -key certs/ca.key -out certs/ca.crt -config certs/ca_config.txt

# CREATE THE PRIVATE KEY FOR OUR SERVER
openssl genrsa -out certs/apiserver.key 2048

# CREATE A CSR FROM THE CONFIGURATION FILE AND OUR PRIVATE KEY
SERVER_HOST=$(oc whoami --show-server | grep -o 'api[^:]*')
openssl req -new -key certs/apiserver.key -subj "/CN=$SERVER_HOST" -out apiserver.csr -config certs/grumpy_config.txt

# CREATE THE CERT SIGNING THE CSR WITH THE CA CREATED BEFORE
openssl x509 -req -in apiserver.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/apiserver.crt

# Create the TLS secret from the files written to certs/ above and reference it from the apiserver config
oc create secret tls api-certs --cert=certs/apiserver.crt --key=certs/apiserver.key -n openshift-config
oc patch --type=merge apiserver/cluster -p "
spec:
  servingCerts:
    namedCertificates:
    - servingCertificate:
        name: api-certs
"
```

Wait for kube-apiserver to finish rollout. Then enter masters, check:

```
# ls -lrt /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/
...
drwxr-xr-x. 2 root root 36 Oct 15 14:15 user-serving-cert-000
# ls -l /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000
-rw-------. 1 root root 1675 Oct 15 14:15 tls.key
-rw-------. 1 root root 1261 Oct 15 14:15 tls.crt
```

They have the same 600 permissions.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.9.4 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3935
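As an added example (not part of the bug report or of OpenShift's own code), a small POSIX shell check that automates the permission condition verified above: every file under a named-serving-cert secret directory must be mode 0600, and tls.crt and tls.key must not differ. It assumes GNU coreutils `stat` (as on RHCOS masters) and the directory layout shown in the comment.

```shell
# Audit the files the kube-apiserver static-pod installer writes for a
# named serving certificate. Returns 0 when every regular file is 0600
# and tls.crt/tls.key carry the same mode; returns 1 when any file
# deviates; returns 2 when the argument is not a directory.
# Assumes GNU coreutils stat (stat -c '%a' prints the octal mode).
#
# Usage:
#   check_serving_cert_perms /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000
check_serving_cert_perms() {
    dir="$1"
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Every regular file in the secret directory should be owner-only.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "600" ]; then
            echo "WARN: $f has mode $mode (expected 600)"
            rc=1
        fi
    done

    # The specific symptom of this bug: crt and key written with different modes.
    if [ -f "$dir/tls.crt" ] && [ -f "$dir/tls.key" ]; then
        crt_mode=$(stat -c '%a' "$dir/tls.crt")
        key_mode=$(stat -c '%a' "$dir/tls.key")
        if [ "$crt_mode" != "$key_mode" ]; then
            echo "WARN: tls.crt ($crt_mode) and tls.key ($key_mode) differ in $dir"
            rc=1
        fi
    fi
    return "$rc"
}
```

Run it against each `user-serving-cert-*` directory after the kube-apiserver rollout finishes; a non-zero exit means the files on that master still need attention.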